- New ExpressVPN Products Pass Third-Party Review
- This brings its independent audits to 27.
- Some problems of medium severity were identified.
ExpressVPN is celebrating the results of a new independent audit by cybersecurity firm Cure53, bringing its total number of third-party evaluations to a whopping 27.
The new audits were completed on two products launched a few months ago by one of the best VPNs on the market: ExpressMailGuard, a service that provides unlimited email aliases, and Identity Defender, an identity protection application.
Cure53 gave the green light without reporting significant vulnerabilities. However, it highlighted several areas that required further attention. More details below.
While it’s not a clean sweep this time around, these findings highlight why independent audits are now crucial for any trusted provider looking to offer a truly secure VPN service to its customers. In this context, an independent audit is not just about a piece of software passing a test the first time, but rather an open commitment to address any architectural issues that may arise.
ExpressVPN is a veteran when it comes to third-party testing. Since its first audit in 2018, its products have been consistently reviewed by several renowned firms, including PwC, Cure53 and KPMG, earning four ISO certifications and reflecting a growing commitment to responsibility that goes far beyond industry standards.
“Every product we create that touches user data is handed over to independent researchers whose job it is to decrypt it. Twenty-seven audits later, we remain committed to the same standard: trust must be earned, not assumed,” said Aaron Engel, CSO of ExpressVPN – words to live by when it comes to VPNs.
What did Cure53 find?
Cure53 conducted comprehensive source code reviews and infrastructure assessments for both products, from user interfaces and email processing capabilities to backend infrastructure, authentication, personally identifiable information (PII), and data storage.
The investigations were carried out at the beginning of March and lasted a maximum of 18 days.
In the case of ExpressVPN Identity Defender, the independent auditor identified eleven areas of concern. Of these, seven were classified as “medium” severity security vulnerabilities: issues that do not cause a major impact in any area within their scope.
Two medium severity issues related to storing unencrypted data. In the first case, ExpressVPN passed unencrypted data structures to its registry and, in doing so, prevented its redaction processes from protecting them. In the second, data related to the user’s identity was used for a secondary purpose, thus inadvertently providing hackers with a potential way to triangulate their data.
For ExpressMailGuard, the Cure53 team identified even more problems: a total of thirteen findings. However, of these, only two were classified as direct security vulnerabilities, and eleven were classified as more general weaknesses without a direct path to exploitation.
In this case, the only medium-level exploitable vulnerability is related to incorrect processing of sender email address data, an issue that could help a malicious actor spoof emails, among other things.
Other medium severity issues included recipient verification emails being sent to incorrect addresses; not a risk in isolation, but potentially useful in conjunction with another vulnerability.
Cure53’s advice included quickly addressing and resolving these findings, conducting regular testing to identify new risks as they arise, and reporting issues to maintainers when third-party code was involved.